41 California Privacy Experts Urge Major Changes to the California Consumer Privacy Act
41 California privacy lawyers, professionals, and professors are urging the California legislature to make major changes to the California Consumer Privacy Act (CCPA), which the legislature hastily passed in 2018. The letter highlights six significant problems with the CCPA, including:
- The CCPA affects many businesses who never had a chance to explain the law’s problems to the legislature;
- The CCPA imposes excessive costs on small businesses;
- The CCPA requires businesses to waste money complying with multiple privacy laws;
- The CCPA degrades consumer privacy in several ways;
- The CCPA’s definitions are riddled with problems; and
- The CCPA reaches beyond California’s borders.
The text of the letter is below. A PDF copy of the letter is also available.
“I’m amazed by how many California privacy experts have very serious concerns about California’s new privacy law,” said Prof. Eric Goldman, co-director of the High Tech Law Institute at Santa Clara University School of Law, who spearheaded the letter. “Many of those experts, including some signatories to the letter, will personally make a lot of money due to the CCPA’s substantial legal compliance costs and multitudinous ambiguities. Nevertheless, despite their financial self-interest, they would rather see the legislature improve the law.”
Media coverage of the letter:
[The letter text:]
January 17, 2019
The Honorable Toni Atkins
Senate President Pro Tempore
State Capitol, Room 205
The Honorable Patricia Bates
Senate Minority Leader
State Capitol, Room 305
The Honorable Anthony Rendon
State Capitol, Room 219
The Honorable Marie Waldron
Assembly Republican Leader
State Capitol, Room 3104
Dear Senators and Assemblymembers:
We are California-licensed or -based privacy lawyers, professionals, and law professors. We write to express our concerns about the California Consumer Privacy Act (“CCPA”) and its urgent need for major changes. This letter highlights six areas warranting extra consideration as the California legislature endeavors to improve the law. This is not a comprehensive or detailed list of all desirable changes to the CCPA, but we would be happy to work with you or your staff to develop such a list or provide more specifics about our concerns.
1) Application to Stakeholders Who Did Not Provide Input. Most US privacy laws are “sectoral-based,” i.e., they are optimized for the needs of specific industries. In contrast, the CCPA applies across all industries, with only limited exceptions. Because of the CCPA’s rushed approval process, the California legislature did not hear from thousands of different industries affected by the CCPA. The CCPA will likely need many changes to properly accommodate this wide range of industries. As the legislature works to improve the CCPA, it would be beneficial to conduct the kind of broad-based fact gathering from multiple constituencies that the legislature normally does when evaluating a major law.
2) Compliance Costs for Small Businesses. The CCPA unsuccessfully tried to exclude small businesses from its requirements. The definition of “business” likely reaches many small businesses, including low-margin retail businesses that store 137 unique credit cards a day and tiny ad-supported websites/blogs that get only 137 unique visitors per day. These businesses cannot afford the CCPA’s substantial compliance costs, so they may either ignore the law or exit the market. To avoid these undesirable results, the CCPA should increase its compliance thresholds or scale compliance obligations to business size (or similar proxies).
3) Inconsistencies with the GDPR. Many California businesses recently spent a lot of money on GDPR compliance. Substantial differences between the GDPR and CCPA will impose a new and expensive round of compliance work on those businesses. Worse, those extra expenses probably will not incrementally enhance California consumers’ privacy. The legislature could help by harmonizing the CCPA and the GDPR to eliminate the need for two different compliance programs; or by providing a CCPA safe harbor for GDPR-compliant businesses.
4) The CCPA Counterproductively Undermines Consumer Privacy. Several provisions of the CCPA potentially undermine consumer privacy. For example, the law still seems to mistakenly require businesses to publicly disclose consumers’ private data (1798.110(c)(5)).
More generally, to enable the required access, erasure, and portability of personal information, businesses may need to make all of their data identifiable, even data they would prefer to store in non-identifiable ways.
Furthermore, several well-publicized incidents have demonstrated how the GDPR’s access and data portability mechanisms expose consumers to additional risks of disclosure to malicious hackers or third parties. The CCPA’s data access and portability provisions create similar risks. To avoid this unwanted result, businesses—at substantial expense—try to confirm requestors’ identities, which counterproductively may require the businesses to collect more personal information from consumers. As a result, the CCPA’s data access, erasure, and portability provisions should be calibrated to ensure they enhance, rather than reduce, consumer privacy.
5) Overbroad Definitions. The definitions are the CCPA’s foundation, and their clarity will dictate the law’s success or failure. Numerous statutory definitions are overbroad, imprecise, or simply unhelpful. Without amendment, they will cause substantial confusion and compliance hardships. We have already mentioned the miscalibrated definition of “business.” Other examples include:
- The definition of “consumer” problematically extends to company employees and business-to-business contacts.
- The definition of “personal information” has numerous problems. Most importantly, it applies to data that no consumer would ever consider identifiable. Also, some specific examples of personal information, such as “thermal” and “olfactory” information, are nonsensical, as is the current scope and treatment of “publicly available” information.
- The repeated references to “households”—a concept not in the GDPR—unhelpfully expand the definition of one person’s “personal information” to reach data about other people. It also means that a business’ data practices towards one person can affect other people in unexpected and potentially unwanted ways.
- The definition of “sale” does not clarify when data transfers or sharing are done for “valuable consideration,” a question of critical importance to many California businesses.
- The definitions of “service provider” and “third party” are unclear, and they diverge from the GDPR’s definitions of data controllers and data processors. Furthermore, the two definitions leave open some key gaps, such as the treatment of non-profit vendors.
6) Extraterritorial Reach. The CCPA purports to reach activity outside of California. Two examples:
- The law claims to regulate businesses with no nexus with California other than being affiliates of California-based businesses.
- The thresholds for a regulated “business” apparently count non-California-based activities. For example, the $25M threshold equally applies to businesses that receive all revenues from California residents and businesses that receive only $1 of revenue from California residents. If so, a business without any ties to California must comply with the CCPA (at substantial expense) the moment it accepts a single dollar from a California resident.
The CCPA’s purported application to activity outside of California raises substantial Constitutional concerns and potentially exposes the state to expensive and distracting litigation. More importantly, it causes tremendous uncertainty and possibly wasted expenditures for businesses without real ties to California. The legislature should clarify the CCPA’s applicability to activities outside California.
* * *
Everyone has acknowledged that the CCPA remains a work-in-progress, but there may be some misapprehensions about the scope and scale of the required changes still remaining. In our view, the CCPA needs many substantial changes before it becomes a law that truly benefits California. We appreciate your work on these important matters.
Professor Eric Goldman
Co-Director, High Tech Law Institute
Co-Supervisor, Privacy Law Certificate
Santa Clara University School of Law
500 El Camino Real
Santa Clara, CA 95053
…on behalf of himself and the signatories listed on the subsequent page. All signatories are signing as individuals and not on behalf of their employers; any listed affiliations are for identification purposes only.
Heather A. Antoine
Mania Aslan, CIPP/US, CIPP/E, CIPM
Deepali Brahmbhatt, One LLP and CIPP/US
Rafae Bhatti, CIPP/US, CIPM
Alan Chapell, Chapell & Associates and CIPP/US
Allison Cohen, Loeb & Loeb and CIPP/US
Brendan Comstock, CIPP/US
Tanya Forsheit, Frankfurt Kurnit Klein & Selz and CIPP/US, CIPT
Also: Adjunct Professor, Loyola Law School
Alan L. Friel, BakerHostetler and CIPP/US, CIPM
Also: Adjunct Professor, Loyola Law School
Elizabeth Fu, CIPP/US
Daniel Goldberg, Frankfurt Kurnit Klein & Selz and CIPP/US
Porscha Guasch, CIPP/US
Ganka Hadjipetrova, CIPP/US, CIPM
Michael Hellbusch, Rutan & Tucker and CIPP/US, CIPP/E, CIPM
Deborah Shinbein Howitt, Lewis Bess Williams & Weese and CIPP/US
Lily Lei Kang, CIPP/US
Bennet Kelley, Internet Law Center
Irene Koulouris, CIPP/US
Amy Lawrence, Frankfurt Kurnit Klein & Selz and CIPP/US
Letitia Lee, CIPP/US
Christine Lyon, Morrison & Foerster
Olivia Manning, CIPP/US, CIPM
Jess Miers, CIPP/US
Chiara Portner, Hopkins & Carley, CIPP/US
Hannah Poteat, CIPP/US
Kristie D. Prinz
Kristen Psaty, CIPP/US
Michael G. Rhodes, Cooley LLP
Michael Scapin, CIPP/US
Andrew Serwin, Morrison & Foerster and CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM
Brent Tuttle, CIPP/US, CIPP/E, CIPT
Pamela C. Vavra, Pamela C. Vavra Law Offices
Sophia Vogt, CIPP/US
Charlie Vuong, CIPP/US
Randy Wilson, CIPP/US, CIPP/EU, CIPM